Analysis
- max time kernel: 155s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25-01-2022 17:11

Static task: static1
Behavioral task: behavioral1
- Sample: loader4.exe
- Resource: win7-en-20211208
General
- Target: loader4.exe
- Size: 245KB
- MD5: de0aa0304f6880c7263d35fc7d487278
- SHA1: e392b2e0163130093d1b4afddbd318266a02a386
- SHA256: a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a
- SHA512: f8f8b94e4dc99524210487daf9a273a9ce44328a249afd372c72b360bfc3905cf034c713fb1052e9a3e51e58ad844fa18dd7ac12cbe183c1c998dfd5b4376d6e
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: jdo2
- Decoy domains:
adopte-un-per.com
lmandarin.com
shonemurawni.quest
bantasis.com
jsdigitalekuns.net
hiddenroom.net
arungjerampangalengan.com
yinghongxw.com
buzzcupid.com
lattent.digital
faxtoemailguide.com
romanticfriryrose.com
ruleaou.com
mochiko-blog.com
sekireixploit.com
bcx-wiremesh.com
jobportalsg.com
wysspirit.com
iflycny.com
sh-cy17.com
kryptolaunches.com
studio-levanah.com
iotnews.xyz
scznjt.com
puppizy.com
sportax.store
musicnjoy.art
thenerdyarkade.com
prelacies.info
eastwebdesign.com
clients-schwab.com
freemsw.com
propertytaxtt.com
camelammo.com
udidactica.com
nutriorlando.com
logichome.store
brickge.com
gnews24.press
cryptofuelcars.com
giftcodefreefirevns.com
xn--wnys27c.xyz
123sabi.com
drnxskop.xyz
guiadescontopromocional.com
traderro.com
oilsandsresources.com
dosmed.store
bullmediamarketing.com
brainnwave-uk.com
situspokergames.club
lowestfars.com
x99av2.xyz
bungaauraprediction.com
companyintel.direct
netzastronaut.com
abouttofeast.com
roleplaysaga.com
postkz.host
sobheweb.com
exit-10-exodus.com
oxanger.com
onehundredwomennash.com
decamento.com
remover-erro.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (2 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/664-56-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
    behavioral1/memory/560-63-0x00000000000D0000-0x00000000000F9000-memory.dmp   xloader
- Deletes itself (1 IoCs)
  Processes:
    pid    process
    1152   cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid    process
    1612   loader4.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                           pid    process       target process
    PID 1612 set thread context of 664    1612   loader4.exe   loader4.exe
    PID 664 set thread context of 1300    664    loader4.exe   Explorer.EXE
    PID 560 set thread context of 1300    560    control.exe   Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes:
    pid    process       occurrences
    664    loader4.exe   2
    560    control.exe   27
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid    process
    1300   Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
    pid    process       occurrences
    664    loader4.exe   3
    560    control.exe   2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   664    loader4.exe
    Token: SeDebugPrivilege   560    control.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid    process        occurrences
    1300   Explorer.EXE   2
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid    process        occurrences
    1300   Explorer.EXE   2
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                        pid    process        target process   occurrences
    PID 1612 wrote to memory of 664    1612   loader4.exe    loader4.exe      7
    PID 1300 wrote to memory of 560    1300   Explorer.EXE   control.exe      4
    PID 560 wrote to memory of 1152    560    control.exe    cmd.exe          4
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\loader4.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\loader4.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\loader4.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\loader4.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\control.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\loader4.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsdF153.tmp\esuhbnkmi.dll
  MD5: 0b413fd318116a350c284756fd075656
  SHA1: e89886c492c5183a9e1fa5e5af0ce08c5b6b0f2f
  SHA256: 5db476cb59fd2f92f113ee07523cf1f9dd620e2f17557ac6914a58cab23e9d07
  SHA512: 566ae6e7b8a0882954f801028614d741aec451aa9477132528b016cc0e7581090aa3d575b4c7eda0c1ca54a7f8cbd0717df800fabef3a64675ca4a38d23e1299
- memory/560-62-0x0000000000720000-0x000000000073F000-memory.dmp
  Filesize: 124KB
- memory/560-63-0x00000000000D0000-0x00000000000F9000-memory.dmp
  Filesize: 164KB
- memory/560-64-0x0000000001FF0000-0x00000000022F3000-memory.dmp
  Filesize: 3.0MB
- memory/560-65-0x00000000005F0000-0x0000000000680000-memory.dmp
  Filesize: 576KB
- memory/664-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/664-58-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB
- memory/664-59-0x00000000002C0000-0x0000000000429000-memory.dmp
  Filesize: 1.4MB
- memory/1300-60-0x0000000004190000-0x000000000423E000-memory.dmp
  Filesize: 696KB
- memory/1300-66-0x0000000006970000-0x0000000006AC9000-memory.dmp
  Filesize: 1.3MB
- memory/1612-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
  Filesize: 8KB